Protecting Your Cloud Applications with App ID and Existing IBM Cloud Identity User Repository


By: Anton Aleksandrov

Integrate IBM Cloud App ID and IBM Cloud Identity.

For developers, setting up application security can be one of the hardest parts of creating an app. In most cases, developers prefer to focus on delivering the business value while leaving any security aspects to experts and specialized products.

There are quite a few well-known and trusted Identity and Access Management products on the market that you might already be familiar with, but today I'm going to focus on two of them: IBM Cloud App ID and IBM Cloud Identity.

What is IBM Cloud App ID?

IBM Cloud App ID is a cloud service that allows developers to easily add authentication and authorization capabilities to their applications while all the operational aspects of the service are handled by the IBM Cloud Platform.

App ID is intended for developers that don't need or want to know anything about various security protocols. The service provides capabilities like Cloud Directory (a highly scalable user repository in the cloud), enterprise identity federation, social login, SSO, customizable Login Widget UI, flexible access controls and user profiles, multi-factor authentication, a set of open-sourced SDKs for easy app instrumentation, and more. 

A major benefit of using App ID is the deep integration with other IBM Cloud components that creates a seamless experience for easy protection of cloud native applications, including IBM Cloud Kubernetes Service, Cloud Functions, Cloud Foundry, API Connect, Activity Tracker, and more.  

What is IBM Cloud Identity?

IBM Cloud Identity is a service that allows you to connect your users (and things) to any application that you have running either inside or outside of the enterprise. That means anything from legacy apps running in your data center to the new cloud native applications you are building for multicloud environments.  

Cloud Identity provides tools for developers but also makes it easy for administrators to configure access control policies that can be applied at runtime without modifying the underlying application. In addition to the capabilities you usually expect from an identity service, Cloud Identity provides advanced features like adaptive access, password-less authentication (e.g., FIDO2 and QR code based MFA), API protection, user governance, and more.

Configuring App ID to use an existing IBM Cloud Identity instance

So, the question that brought you to this blog: What if I already have an existing user repository in IBM Cloud Identity but I want to use App ID for all of the benefits that come from the integrated IBM Cloud experience? Or, what if I want to add more advanced authentication features, like password-less authentication, to my app?

The short answer—no problem! You can connect IBM Cloud App ID to your IBM Cloud Identity instance. Check out the following video tutorial and instructions to learn how to maximize the benefits of using both services to protect an application that runs on OpenShift with zero code changes or redeploys.

Recapping the steps

  1. Starting in the App ID dashboard:
    1. Go to SAML 2.0 Federation under Identity Providers.
    2. Specify the name you'd like to use for the provider.
    3. Click Download SAML Metadata file.
    4. Open the downloaded file.
    5. Note the entityID property under the <EntityDescriptor> element.
    6. Note the Location property under the <AssertionConsumerService> element.
  2. Switch to the Cloud Identity Dashboard:
    1. Make sure your Cloud Identity instance has at least one user you'll be able to sign in with.
    2. Go to Applications and click Add application.
    3. Select a Custom Application type and give it a name.
    4. Go to the Sign-on tab.
    5. Copy the entityID value from 1.5 to the Provider ID box.
    6. Copy the Location value from 1.6 to the Assertion Consumer Service URL (HTTP-POST) box.
    7. Save your configuration and select users that are entitled to use this application.
    8. Switch back to the Sign-on tab.
    9. Note the Provider ID value on the right side of the screen.
    10. Note the Login URL on the right side of the screen.
    11. Note the Signing Certificate on the right side of the screen.
  3. Back in the App ID dashboard:
    1. Copy the Provider ID value from 2.9 to the entityID box.
    2. Copy the Login URL value from 2.10 to the Sign-in URL box.
    3. Copy the Signing Certificate value from 2.11 to the Primary Certificate box.
    4. Save your settings.
    5. Click the Test button to see everything working together.

That's it, you're done! App ID is now integrated with Cloud Identity. So, you can start enjoying the superb experience of easily adding user authentication to your app, protecting applications running on Kubernetes or OpenShift clusters, getting administrative and authentication events in Activity Tracker, and more.
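
The two values noted in steps 1.5 and 1.6 can be read from the downloaded metadata file with a short script rather than by eye, which also confirms the endpoint uses the HTTP-POST binding and HTTPS before it is pasted into Cloud Identity. This is an added example, not part of the original post or of App ID's tooling; the sample metadata, its entityID and hostname are constructed placeholders, and the function name `read_sp_metadata` is hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the file downloaded in step 1.3.
# The entityID and hostname are placeholders, not real App ID values.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:appid:placeholder-tenant">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://appid.example.test/saml2/login-acs"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return the two values to paste into Cloud Identity (steps 2.5, 2.6)."""
    # SAML metadata has no need for a DTD; refuse it before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not <EntityDescriptor>")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    # Keep only endpoints that use the HTTP-POST binding named in step 2.6.
    endpoints = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
                 if e.get("Binding") == HTTP_POST]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    # Prefer the endpoint flagged as default, else the first one listed.
    chosen = next((e for e in endpoints if e.get("isDefault") == "true"),
                  endpoints[0])
    location = chosen.get("Location", "")
    # Assertions are posted to this URL, so it must be an HTTPS endpoint.
    if urlparse(location).scheme != "https":
        raise ValueError(f"ACS Location is not https: {location!r}")
    return {"provider_id": entity_id, "acs_url": location}


if __name__ == "__main__":
    print(read_sp_metadata(SAMPLE_METADATA))
```
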

Feedback and resources

We’d love to hear from you with feedback and questions:

  • Reach out directly to the development team on Slack.
  • If you have technical questions about App ID, post your question on Stack Overflow and tag your question with ibm-appid.
  • For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the appid tag.
  • Open a support ticket in the IBM Cloud menu.

To learn more about the service and get started, check out the following links.
